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Un modele generique de contrats pour les 
systemes embarques 

Resume : Cc rapport presente les fondements mathcmatiques du modele de 
contrats concu dans lc cadre du projct SPEEDS. L'objectif du projct SPEEDS 
est de devclopper les outils et les mcthodcs supportant un "processus de concep- 
tion spculatif" , dans lequcl diffcrentes equipes de conception peuvent contribucr 
a la conception d'un systeme de fcpn concurrente, mais neanmoins controllee. 
Le modele de contrats concerne les comportements du systeme projete et per- 
met une modelisation de celui-ci par assemblage de "composants riches" , dont 
les differents aspects comportementaux sont decrits pas des ensembles contrats, 
regroupes par "points de vues". 

Mots-cles : conccpton systeme, conception par composants, conception par 
contrats, raisonncmcnt hypiothese-garantic 
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1 Introduction 

Several industrial sectors involving complex embedded systems design have re- 
cently experienced drastic moves in their organization — aerospace and automo- 
tive being typical examples. Initially organized around large, vertically inte- 
grated companies supporting most of the design in house, these sectors were 
restructured in the 80's due to the emergence of sizeable competitive suppliers. 
OEMs performed system design and integration by importing entire subsys- 
tems from suppliers. This, however, shifted a significant portion of the value to 
the suppliers, and eventually contributed to late errors that caused delays and 
excessive additional cost during the system integration phase. 

In the last decade, these industrial sectors went through a profound reor- 
ganization in an attempt by OEMs to recover value from the supply chain, by 
focusing on those parts of the design at the core of their competitive advan- 
tage. The rest of the system was instead centered around standard platforms 
that could be developed and shared by otherwise competitors. Examples of this 
trend are AUTOSAR in the automotive industry [T], and Integrated Modular 
Avionics (IMA) in aerospace [2J. This new organization requires extensive vir- 
tual prototyping and design space exploration, where component or subsystem 
specification and integration occur at different phases of the design, including 
at the early ones [3]. 

Component based development has emerged as the technology of choice to 
address the challenges that result from this paradigm shift. In the particu- 
lar context of (safety critical) embedded systems with complex OEM/supplier 
chains, the following distinguishing features must be addressed. First, the need 
for high quality, zero defect, software systems calls for techniques in which com- 
ponent specification and integration is supported by clean mathematics that 
encompassc both static and dynamic semantics — this means that the behav- 
ior of components and their composition, and not just their port and type 
interface, must be mathematically defined. Second, system design includes var- 
ious aspects — functional, timeliness, safety and fault tolerance, etc. — involving 
different teams with different skills using heterogeneous techniques and tools. 
Third, since the structure of the supply chain is highly distributed, a precise 
separation of responsibilities between its different actors must be ensured. This 
is addressed by relying on contracts. Following [3] a contract is a component 
model that sets forth the assumptions under which the component may be used 
by its environment, and the corresponding promises that are guaranteed under 
such correct use. 

The semantic foundations that we present in this paper are designed to 
support this methodology by addressing the above three issues. At its basis, 
the model is a language-based abstraction where composition is by intersec- 
tion. This basic model can then be instantiated to cover functional, timeliness, 
safety, and dependability requirements performed across all system design lev- 
els. No particular model of computation and communication is enforced, and 
continuous time dynamics such as those needed in physical system modeling is 
supported as well. On top of the basic model, we build the notion of a contract, 
which is central to our methodology, by distinguishing between assumptions and 
promises. This paper focuses on developing a generic compositional theory of 
contracts, providing relations of contract satisfaction and refinement called dom- 
inance, and the derivation of operators for the correct construction of complete 
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systems. In addition to traditional parallel composition, and to enable formal 
multi-viewpoint analysis, our model includes boolean meet and join operators 
that compute conjunction and disjunction of contracts. We also introduce a new 
operator, called fusion, that combines composition and conjunction to compute 
the least specific contract that satisfies a set of specifications, while at the same 
time taking their interaction into account. 

The paper is organized as follows. The principles of our approach are pre- 
sented in Section [21 Contracts and implementations are introduced in Section [3] 
and corresponding operations are studied in Section 21 The concept of rich 
component is formalized in Section by introducing the contracts attached to 
it. In Section \E\ we formalize the concept of designer responsibilities through 
the notion of controlled/uncontrolled port and we refine our theory of contracts 
accordingly. How we encompass the different viewpoints is sketched in Scction[7] 
and related work is discussed in Section [8] 

2 Principles of Assume/Guarantee Reasoning 

The main element of our semantic model is a Heterogeneous Rich Component, 
or simply a component. A component consists of an interface, its expected be- 
havior, and, optionally, one or more implementations. The interface is a set of 
ports and flows, used by the component to communicate with the rest of the 
system and with the environment. The expected behavior is described by one or 
several assumption / promise pairs, called contracts. Contracts can be combined 
together using three composition operators: greatest lower bound, parallel com- 
position and fusion. The greatest lower bound is used to compose contracts 
referring to the same component and which use only variables and flows visible 
from the environment. Parallel composition is used to compute the contract 
resulting from the composition of several components. Fusion generalizes these 
two operators, and is capable of handling all cases. In particular, it is used to 
compose contracts whenever the greatest lower bound and parallel composition 
operators are inappropriate, for instance when contracts share local variables or 
flows. Thus, fusion is the implicit composition of contracts, whenever more than 
one contract is attached to a component. Implementations may be attached to 
a component, and are usually expressed as extended state machines, or as host 
tool models. We define several relations between components, contracts and 
implementations. 

• The compatibility relation relates sets of components. A set of compo- 
nents are incompatible whenever for all environments, at least one of the 
assumption of at least one component is violated. 

• Contract dominance relates assumptions and promises of two contracts. A 
contract dominates another when it has weaker assumptions and stronger 
promises. 

• Satisfaction relates implementations to contracts. An implementation sat- 
isfies a contract whenever its behavior, modulo the assumptions, are con- 
sistent with the promises. 

• Refinement relates implementations. An implementation refines another 
whenever it has fewer behaviors. 
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Throughout this paper we shall need an abstract notion of "assertion" . The 
only facts we need to know about assertions can be summarized as follows: 

• Each assertion E possesses a set of ports and a set of variables that are 
the vehicle for interaction. 

• An assertion is identified with the set of runs it accepts. A run assigns 
a history to each variable and port of the assertion. We assume that a 
proper notion of "complement" for an assertion E is available, denoted by 
-iE. 

• When seen as sets of runs, assertions compose by intersection — note that 
such an operation is monotonic w.r.t. inclusion of sets of runs. When 
performing this composition, we assume that the appropriate inverse pro- 
jections have been performed to equalize the sets of ports and variables. 
Products are equivalently denoted by E\ x E^ or E\ n E^. 

3 Rich Components, Contracts, Implementations 

Definition 1 (Implementation). An implementation is simply an assertion, 
that is, a set of runs. 

We denote implementations by the symbol M (for "machine"). Implemen- 
tations are ordered according to the runs they contain. An implementation M 
refines an implementation M', written M < M' if and only if M and M' are 
defined over the same set of ports and variables, and 

M C M'. 

Products preserve implementation refinement. 

A contract says that under certain assumptions, behaviors are guaranteed 
to be confined within a certain set. 

Definition 2 (Contract). A contract C is a pair (A,G), where A, the assump- 
tion, and G, the promise, are assertions over the same alphabet. 

Whenever convenient, we shall denote the assumption and promise of con- 
tract C by Aq and Gc ■ The interpretation of a contract is made precise by the 
following definition. 

Definition 3 (Satisfaction). An implementation M satisfies a contract C — 
(A, G), written M \= C , if and only if 

Mnic G. 

Satisfaction can be checked using the following equivalent formulas, where 
-i A denotes the set of all runs that are not runs of A: 

M\=C MCGUni ^> M n (A n -iG) = 

There exists a unique maximal implementation satisfying a contract C, namely: 

M c = GUni (1) 
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Definition 4 (Rich Component). A rich component is a tuple 

RC = (X,{C},[M]) 



(2) 



In fl|], X is the name of the rich component, {C} is a (possibly empty) set of 
contracts, and [M] is an (optional) implementation such that [M] \= {C}, where 
the meaning of the latter property is postponed to Definition \l(A 



Canonical forms Note that Mq is to be interpreted as the implication A 
G. We have that M \= (A, G), if and only if M (= {A,M C ), if and only if 
M C Mc- Say that contract C = (A,G) is in canonical form when G = Mq, 
or, equivalently, when ->A C G or when ->G C A. Thus, every contract has 
an equivalent contract in canonical form, which can be obtained by replacing 
G with Mq- Hence, working with contracts in canonical form does not limit 
expressiveness. The operation of computing the canonical form is well defined, 
since the maximal implementation is unique, and it is idempotent. 



In the following, we assume that 
all contracts are in canonical form. 



(3) 



This assumption serves two purposes: (i) To have a unique representation 
of contracts, considered up to equivalence, (ii) To simplify the definition of 
contract composition operators. 

Example 1 (Running example: control/monitoring unit). Throughout this 
paper, we develop the system of Figure [1] to illustrate our notion of contract 
and its use. It consists of a control unit interacting with a monitoring unit. The 
system is subject to two independent faults, f\ for the control unit, and fi for 
the monitoring unit. The nominal behavior of the system (when f\ = F) is that 



x = (a V/i) A 6 



Control Unit 



y — if ->a A x then /2 else x 



Monitoring Unit 



Figure 1: Running example: control/monitoring system. 

it should deliver y — a A b at its output. When safe (/2 = F), the monitoring 
unit ensures that, if the control unit gets faulty (/i = T), the overall system is 
shut down (y = F) unless a = T holds. Thus the overall system requirement is to 
maintain the Top Level Exception TLE = ->aAy false. This TLE may, however, 
get violated if the monitoring unit gets faulty too (/2 = T). These requirements 
are summarized by the two contracts C, for the nominal mode, and C' for the 
exception mode: 

C = (->fi,y=aAb) : nominal mode 
C" = ( -./ 2 , -TLE ) : exception mode 

This separation of concerns into nominal and exception mode is similar to the 
separation of viewpoints (functional, timed, safety, etc) when handling compo- 
nents via their contracts. 
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4 Operations on contracts 

4.0.1 Boolean algebra 

As usual, it will be extremely useful to have an algebra of contracts, providing 
ways of expressing more complex contracts from simpler ones. The follow- 
ing relation of dominance formalizes substituability for contracts and induces a 
boolean algebra of contracts, which provides such a logic of contracts. 

Definition 5 (Dominance). Say that contract C = (A, G) dominates contract 
C' = {A', G'), written C <G' , if and only if AD A' and G C G' . 

Dominance amounts to relaxing assumptions and reinforcing promises. Note 
that C -<C' and C' <C together imply C = C'. Hence, dominance is a partial 
order relation. Furthermore, 

C <C' =► M c (= C' (5) 

but the converse is not true. Property ([5]) implies the following result: 

Lemma 6. If M \= C and G <C' , then M |= C' . 

The following theorem defines the boolean algebra over contracts, implied 
by di- Its proof is straightforward and left to the reader. 

Theorem 7 (Boolean algebra of contracts). Let C\ — (Ai,G\) and C 2 — 
{Ai^G-i) be contracts. Then, the greatest lower bound of G\ and Ci, written 
C = Ci n C 2 , is given by C — (A, G) where A = A x U A 2 and G = G\ n G 2 . 
Note that the so defined pair (A, G) is in canonical form. 

Similarly, the least upper bound of G\ and C% , written C = C\ U Ci , is given 
by C' = (A',G') where A = A t C\A 2 and G = Gi UG 2 . Note that the so defined 
pair (A, G) is in canonical form. 

The minimal and maximal contracts are _L = (1Z, 0) and T = (0,7?.) , respec- 
tively, where 1Z denotes the set of all runs. 

Finally, the complement of C is the contract ->C such that ->C = (~>A, ~<G); 
it satisfies -iC n C = 1 and ->C U C = T. 

Example 2 (Running example: greatest lower bound). The two contracts of 
((!]) represent two viewpoints attached to a same component, corresponding to 
the nominal and exception modes, respectively. These two contracts involve the 
same set of ports. Combining them is by computing their greatest lower bound. 
Putting these two contracts in canonical form and then taking their greatest 
lower bound yields: 



C n C' = -.(A a h) , 



->/i => y = a A b 

A 

->/2 =^ -TLE 



This contract assumes that no double failure occurs. Its promise is the con- 
junction of the promises of C and C'. Expanding the promise of this global 
contract leads to a cumbersome formula, hardly understandable to the user, so 
we discard it. 
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4.0.2 Parallel composition 

Contract composition formalizes how contracts attached to different rich com- 
ponents should be combined to represent a single, compound, rich component. 
Let Ci = (Ai,Gi) and C 2 = (A 2 ,G 2 ) be contracts. First, composing these two 
contracts amounts to composing their promises. Regarding assumptions, how- 
ever, the situation is more subtle. Suppose first that the two contracts possess 
disjoint sets of ports and variables. Intuitively, the assumptions of the compos- 
ite should be simply the conjunction of the assumptions of the rich components, 
since the environment should satisfy all the assumptions. In general, however, 
part of the assumptions A\ will be already satisfied by composing C± with C 2 , 
acting as a partial environment for C\. Therefore, G 2 can contribute to relaxing 
the assumptions A\ . And vice- versa. Whence the following definition: 

Definition 8 (Parallel composition of contracts). Let C\ = {A\,Gi) and C2 = 
{A21G2) be contracts. Define C\ 1 1 C 2 to be the contract C = (A, G) such that: 

A = (AinA 2 )u-.(G 1 nG 2 ), 
G = G\ n G2 • 

Note that the so defined contract is in canonical form. 

The following result expresses the compositionality of the implementation 
relation: 

Lemma 9. Mi \= C\ and M 2 \= C 2 together imply Mi x M 2 \= C\ || C 2 . 

Proof: The assumption of the lemma means that Mi C Mc i: for i = 1,2. 
Since the two contracts are in canonical form, we have Mc t = Gi and the result 
follows directly from Definition [HI DThe following lemma 

relates greatest lower bound and parallel composition, it relies on the fact that 
we work with contracts in canonical form: 

Lemma 10. For any two contracts, C\ V\ C 2 d Ci II G 2 . 

Proof: Both sides of this relation possess identical promises. Thus the 
only thing to prove relates to the assumptions thereof. From Definition [H] 
and Theorem [7J the assumption of C\ l~l C 2 is equal to A\ U A 2 , whereas 
the assumption of G\ || C 2 is equal to {A\ ("1 A 2 ) U ->(Gi C\G 2 ). Since the 
two contracts are in canonical form, we have ->Gi C Ai,i = 1,2, and thus 
-.(Gi nG 2 ) = ->C?i U ^G 2 C AiUi 2 - Therefore, the assumption of Ci \\ C 2 
is contained in A\ U ^2, which is the assumption of C\ r\C 2 . This proves the 
lemma. □ 

Example 3 (Running example: compositional reasoning). In Example we 
have shown how to combine the two nominal and exception viewpoints, for 
the overall system of Figure [T] The system further decomposes into a control 
and monitoring unit. We would like to associate contracts to each of these 
components, for each of their viewpoint. Composing these contracts, we should 
recover the system's overall contract. 

Since the system is the parallel composition of control and monitoring units, 
we may reasonably expect that the parallel composition of contracts, for each of 
these components, should be used. However, we are also combining viewpoints 
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for these two components and this sould be performed by the greatest lower 
bound. So, which is the correct answer? The new notion of contract fusion we 
shall introduce in the following section will provided the adequate answer. Prior 
to introducing this notion, we need to investigate what it means to eliminate 
ports in contracts. o 



4.0.3 Eliminating ports in contracts 

Elimination in contracts requires handling assumptions and promises differently. 

Definition 11 (Elimination). Let C = (A,G) be a contract and let p be any 
port. Define the elimination of p in C by: 

[C] p = (y P A,3 P G) 

where A and G are seen as predicates. 

Note that we do not require that p be a port of C. Definition [TT1 is motivated 
by the following lemma: 

Lemma 12. We have C -< [G] . Furthermore, let M be an implementation 
such that M (= C and p is not a port of M . Then, M \= [C] . 

Proof: By definition, M \= C implies M D A C G. Eliminating p, with V 
on the left hand side and 3 on the right hand side, yields [Vp (M n A)] C [Bp G] 
and the lemma follows from the fact that Vp (M PI A) = M {VpA) if p is not 
a port of M. DThc following lemma relates elimination and greatest lower 
bounds: 

Lemma 13. For any two contracts C\ and G 2 and any port p, we have: 

[C 1 nc 2 ] p * [Ci] p n[C 2 ] p (6) 
[Ci II C 2 ] p ± [C,] p || [C 2 ] p (7) 

Proof: We have Vp{A 1 UA 2 ) 3 (Vp A x \Jip A 2 ) and Bp (GinG 2 ) Q (3pGi n BpG 2 ), 
which proves © as well as the promise part of ([7])- Regarding the assumption 
part of ((7|, we need to prove 

A [Ci II c 2 ] p 3 A ([ c 1 ] p || [c 2 ] p ) (8) 

where 

A [Cl \\c 2 ) p = Vp((Ai C\A 2 ) U-.(Gi nG 2 )) 
A (lCi] p \\ [c 2 ] p ] = (VpAi n\/ P A 2 ) u-.(3pGi n3pG 2 ) 

WehaveVp((A 1 n^ 2 )U-(GinG 2 )) 2 (Vp (Ai n A 2 )) U (Vp-i(Gi n G 2 )) = 
(VpAinVp^ 2 )U-(3p(Gi nG 2 )) 2 (VpAinVpA 2 )U-(3pGi n3pG 2 ). Which 
proves ([8|) and the lemma. □Elimination trivially extends to finite sets of 

ports, we denote it by [C] P , where P is the considered set of ports. 
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5 Set of contracts associated to a rich compo- 
nent 

We are now ready to address the case of synchronizing viewpoints when local 
ports are shared between viewpoints. More precisely, we shall formally define 
what it means to consider a set of contracts associated to a same rich component. 

Definition 14 (Fusion). Let (Cj)jgj be a finite set of contracts and Q a finite 
set of ports. We define the fusion of (Ci)ig/ with respect to Q by 

m) ieI i Q = n, 7 c/[ii, 6J Q] Q (9) 

where J ranges over the set of all subsets of I. 

The following particular cases of Definition [Til are of interest: 
Lemma 15. 

1. When Q = 0, the fusion reduces to the greatest lower bound: 

muih = (io) 

In particular, M \= [(Ci)i£/]0 implies M j= Ci for each i G I . 

2. Assume that, for i = 1,2: 

Ai D G\ n G-i (11) 

holds. Then: 

[(Cfc)<e{i,a}l0 = Ci || C 2 (12) 

3. Assume that, for i = 1,2: 

VQ(AiU-G) D VQ(AxUA 2 ) (13) 
holds, where C\ || C% = (A, G). Then: 

[(Ci)* e{ i, 2 }k = [Ci\\C 2 ] Q (14) 

Condition (|lip expresses that each rich component is a valid environment 
for the other rich components; in other words, the two contracts are attached 
to two rich components that together constitute a valid closed system. Con- 
dition (|13|) expresses that the restriction to Q of each component is a valid 
environment for the restriction to Q of the other component. This situation 
corresponds to two rich components interacting through ports belonging to Q, 
which arc subsequently hidden from outside. Proof: We successively prove the 
three statements. 

Statement [JJ results immediately from Lemma 1101 

To prove (TT2")) in Statement O note that the two expressions only differ 
by their assumptions, since the promises of greatest lower bound and parallel 
composition are identical. For the assumptions, let C\ || Ci = (A, G) and 
d n C 2 = (A', G). We have G = G x n G a , A = {A 1 n A 2 ) U -G, and A' = 



INRIA 



A Generic Model of Contracts for Embedded Systems 



11 



(AiUA 2 ). From JTT]) we get ->G D -i(Ai n A 2 ). Therefore, A = (AinA 2 )U^G 3 
(Ai n A 2 ) u -.(^i n A 2 ) ~TZ^ A'. 

Regarding Statement CEO) implies VQ ((Ai n A 2 ) U -.G) D VQ (Ai U A 2 ). 
Whence (fT4")) follows. DThe lesson is that 

fusion boils down to parallel composition for contracts attached to two different 
sub-components of a same compound component, whereas contracts attached to 
a same component and involving the same set of ports fuse via the operation of 
greatest lower bound. The general case lies in between and is given by formula 
([9|). Finally, the various relations that we have established between greatest 
lower bound, parallel composition, and elimination, allows us to simplify the 
actual evaluation of the fusion in general. Corresponding heuristics to guide 
this remain to be developed. 

Definition 0] for rich components can now be completed. 

Definition 16 (Rich Component, completed). Let RC = (X, {C} , [M]) be a 
rich component. Say that 

[M}\={C} iff [M] \= [(Cf ),-£/] q, 

where I indexes set {C}, and set Q collects the ports of {C} that are local to 
RC. 

Example 4 (Running example: fusion of contracts). We shall perform a com- 
posability study for the two contracts C and C, and then for their fusion [C, C'\ . 

Study of C Consider the following two contracts, for the control and mon- 
itoring unit, respectively C\ = (~<fi , [x = a A b]) and C 2 = ( ~^<p , y = x), 
where 9 = naAi. Contract G\ states that, if not faulty, the control unit guar- 
antees that -tip holds, i.e., invariant a V -*x holds. Contract C 2 states that the 
monitoring unit guarantees that, if not faulty, y = x holds unless ip does not 
hold. Putting these two contracts in canonical form and then computing their 
fusion yields 

Ci = (^f 1 ,^f 1 ^[x = aAb\) 
C 2 = (-up, -up =>■ y = x) 
[Ci] x = (-/i,T) 

[CaL = ( F 7 T ) 
[C 1 \\C 2 ] X = (-./iAP,-/i=*»|j/ = oAfc]) 

where P is some predicate (which wc don't care about), from which wc obtain, 
provided that C is put in canonical form, 

\C U C 2 \ X = [d] x n [C 2 ] x n [d || C 2 ] x = [d || C 2 ] x = C 

Study of C Now, let us focus on the other contract C, by proposing the 
following two local contracts, for the control and monitoring unit, respectively 
C[ = ( F , T ), and C 2 = ( -*f 2 , [y = x A a] ). The first contract is trivial, and 
the second one states the invariant promised if the monitoring unit is not faulty. 
Wc first have 

[C[} x = C[ and [C' 2 ] x = (n/ a , -n/ a ^TLE ). (15) 
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Second, G[ nG' 2 = ->/ 2 =^ [y = xAa], whence 3x : (G[ nG 2 ) = -./ 2 -.TLE. 
Next, (Ai nA 2 )LM(Gi nG 2 ) = -.(GinG 2 ), which equals -.(->/ 2 [y = xAa]), 
whence 

Vx : ((A 1 ! n A' 2 ) U ^(Gi n G 2 )) = -.(3x : (G[ n G' 2 )) 

= TLE A -./ 2 (16) 

Finally, Ip jl -lp jt together prove that [C{, C' 2 \ x = G'. 

Study of [G, C'J The remarkable point is that composability works both 
across components, and viewpoints/modes, i.e., we have [G, C'J = [Gi, G 2 , C[ , G 2 ] 

o 

6 The asymmetric role of ports 

So far we have ignored the role of ports and the corresponding splitting of 
responsibilities between the implementation and its environment, see the dis- 
cussion in the introduction. Such a splitting of responsibilities avoids the com- 
petition between environment and implementation in setting the value of ports 
and variables. 

Intuitively, an implementation can only provide promises on the value of the 
ports it controls. On ports controlled by the environment, instead, it may only 
declare assumptions. Therefore, we will distinguish between two kinds of ports 
for implementations and contracts: those that are controlled and those that 
are uncontrolled. The latter property is formalized via the following notion of 
receptiveness: 

Definition 17 (Receptiveness). For E an assertion, and P' C P a subset of 
its ports, E is said to be P' -receptive if and only if for all runs a' restricted to 
ports belonging to P' , there exists a run in a of E such that a' and a coincide 
over P' . 

In words, E accepts any history offered to the subset P' of its ports. Note 
that: 

Lemma 18. If E is P' -receptive, then so is EUE' for any E' having no extra 
ports or variables than those of E. 

In some cases, different viewpoints associated with a same rich component 
need to interact through some common ports. This motivates providing a scope 
for ports, by partitioning them into ports that are visible (outside the underlying 
component) and ports that are local (to the underlying component). 

Definition 19 (Profile). A profile is a J^-tuple ir = (vis, loc, u, c), partitioning 
P as 

P = vis tt) loc = { visible} W {local} 

P = u l+J c = {uncontrolled} ttJ {controlled} 

We are now ready to refine our theory of contracts by taking the asymmetric 
role of ports into account. 
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Definition 20 (Implementation). An implementation is a pair M = (w,E), 
where tt — (vis, loc, u, c) is a profile over a set P of ports, and E is a u-receptive 
assertion over P. 

The last requirement formalizes the fact that an implementation has no 
control over the values of ports set by the environment. Implementations refine 
as follows: 

Definition 21 (Implementation Refinement). For M and M' two implemen- 
tations, say that M refines M' , written M ■< M' , if and only if ir = n' and 
E C E'. 

In defining parallel composition for implementations, we need to take into 
account controlled ports. Each implementation is responsible for its set of con- 
trolled ports, and, in our theory, such responsibility should not be shared. 
This motivates the following definition for our parallel composition of imple- 
mentations associated with different rich components (whence the requirement 
loci fl I0C2 = in this definition): 

Definition 22 (Parallel composition of implementations). Let M\ and M2 be 

two implementations such that loci l~lloc2 = 0. Then, M = Mi \ \ M% is defined 
if and only if c\ n C2 = 0. In that case, E = E\ x E2, and: 

vis = visi U vis2 c = ci U C2 

loc = loci U I0C2 u = (ui U U2) — (ci U C2) 

Theorem 23. Implementation composition is monotonic relative to implemen- 
tation refinement. 

Proof: Since profiles refine via identity, this results boils down to the well 
known monotonicity w.r.t. sets of runs. □ 

Definition 24 (Contract). A contract is a triple C = (tt,A,G), where tt — 
(vis, loc, u, c) is a profile over a set P of ports, and A and G are two assertions 
over P, respectively called the assumptions and promises of C . C is called 
consistent if G is u-receptive, and compatible if A if c-receptive. 

As pointed out in ([3]), contracts are in canonical form, meaning that G D ->A. 
If this is not the case, we simply replace G by its most permissive version GU^A, 
which cannot per se break consistency, thanks to Lemma [TH] The sets A and 
G are not required to be receptive. However, if G is not u-receptive, then the 
promises constrain the uncontrolled ports of the contract. This is against our 
policy of separation of responsibilities, since we stated that uncontrolled ports 
should remain entirely under the responsibility of the environment. Correspond- 
ing contracts are therefore called inconsistent. 

Definition 25 (Satisfaction). An implementation M satisfies contract C, writ- 
ten M \= C, iff it m — 7r<7 and Em C Gc- 

By Lemma [TS1 if contract C is consistent, then Mc = Gc U ~^Ac is still the 
maximal implementation satisfying C. We now turn to the relation of dominance 
and its consequences. 
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Definition 26 (Contract Dominance). A contract C = (%,A,G) dominates a 
contract C = (tt,A',G'), written C ^ C , if and only if tt — tt' , A D A', and 
G C G'. 

Theorem 27 (Boolean algebra of contracts). Let C\ = (tti, A\, G\) and C2 = 

(tt2, A2, G2) be contracts such that tt\ = TT2 = t- Then C =(tt, A\ U A2, G\ (~l G2) 
is the greatest lower bound of C\ and C2, written C — C\ l~l C2. Similarly, 
C' = (tt,A\ (~1 A2-,G\ U G2) is the least upper bound of C\ and C2, written 
C = C\ n C2 ■ Finally, the complement of C — (tt, A, G) is ->C = (tt, ->A, ->G) . 

Proof: This is a direct consequence of Theorem [7] □ 
Finally, it remains to define the parallel composition of contracts. Having 
done this we can directly borrow the definition [14] of fusion, for contracts en- 
hanced with profiles. 

Definition 28 (Parallel composition of contracts). Let C\ = (tti, A\,G\) and 
C2 = (tt2, A2,G2) be contracts. The parallel composition, or product, of C\ and 
C2, written C = G\ || G%, is defined if and only if Ci n C2 = 0, and in that case 
is the contract C = (tt, A, G) defined by: 

vis = visi U vis2, 

loc = (loci U I0C2) — (visi U vis2), 

c = CiUc 2 , 

u = (ui Uu 2 ) - (ci Uc 2 ), 

A = (A 1 nA 2 )u^(G 1 r\G 2 ), 
G = G\ n G2 • 

Unlike Definition [22j we do not require here that loci (~lloc2 = 0. The reason 
is that we wish to encompass the composition of different viewpoints attached 
to a same rich component. (For contracts attached to different rich components, 
however, we do have loci n I0C2 = 0.) 

With parallel composition, we can formalize the notion of contract compat- 
ibility. Recall that a contract is compatible whenever A is c-receptive. If not, 
then there exists a sequence of values on the controlled ports that are refused by 
all acceptable environments. However, by our definition of satisfaction, imple- 
mentations are allowed to output such sequence. Unreceptiveness, in this case, 
implies that a hypothetical environment that wished to prevent a violation of 
the assumptions should actually prevent the behavior altogether, something it 
cannot do since the port is controlled by the contract. Therefore, unreceptive 
assumptions denote the existence of an incompatibility internal to the contract, 
that cannot be avoided by any environment. This justifies the following defini- 
tion. 

Definition 29 (Compatibility). Two contracts C\ and C2 are compatible if 
and only the assumption of their parallel composition is receptive with resepct 
to the controlled ports. 

Assumptions may become unreceptive as a result of a parallel composition 
even if they are not so individually. This is because the set of controlled ports 
after a composition is strictly larger than before the composition. In particular, 
ports that were uncontrolled may become controlled, because they are controlled 
by the other contract. 
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Note that consistency and compatibility may not be preserved by Boolean 
operations. For example, one obtains an inconsistent contract when taking the 
greatest lower bound of two contracts, one of which promises that certain be- 
haviors will never occur in response to a certain input, while the other promises 
that the remaining behaviors will not occur in response to the same input. Both 
contracts have legal responses to the input, but their intersection is empty, thus 
making the combination unreceptive. In this case, inconsistency is due to two 
contracts making inconsistent promises. 

7 Addressing Multiple Viewpoints 

An important question is: can our abstract notion of "assertion" encompass the 
different functional and non-functional viewpoints of system design? Since as- 
sertions are just sets of runs, we can, in particular, accomodate hybrid automata 
following [5]. So seemingly, we can in particular support functional, timeliness, 
safety, as these can be modeled by specific subclasses of hybrid automata. 

A closer investigation reveals that we need to deal with classes of models 
that are stable under parallel composition (defined by intersection), union, and 
complement. Taking complements is a delicate issue: hybrid automata are not 
closed under complementation; in fact, no model class is closed under comple- 
mentation beyond deterministic automata. To account for this fact, various 
countermeasures can be considered. 

First, the designer has the choice to specify either E or its complement -J3 
(e.g., by considering observers). However, the parallel composition of contracts 
requires manipulating both E and its complement ->E, which is the embarrasing 
case. To get compact formulas, our theory was developed using canonical forms 
for contracts, systematically. Not enforcing canonical forms provides room for 
flexibility in the representation of contracts, which can be used to avoid ma- 
nipulating both E and -iE at the same time. A second idea is to redefine an 
assertion as a pair {E,E). where E is an approximate complement of E, e.g., 
involving some abstraction. In doing so, one of the two characteristic properties 
of complements, namely E n E = or E U E = T, do not hold. However, 
either necessary of sufficient conditions for contract dominance can be given. 
The above techniques are the subject of ongoing work and will be reported 
elsewhere. 

8 Related Work 

The notion of contract derives from the theory of abstract data types, first sug- 
gested by Meyer in the context of the programming language Eiffel j6|. In his 
work, Meyer introduces preconditions and postconditions as assertions for the 
methods of a class, and invariants for the class itself. Preconditions correspond 
to the assumptions under which the method operates, while postconditions ex- 
press the promises at method termination, provided that the assumptions are 
satisfied. Invariants must be true at all states of the class regardless of any 
assumption. To guarantee safe substitutability, a subclass is only allowed to 
weaken the assumptions and to strengthen the promises. 
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Similar ideas were in fact, already present in earlier work by Dill, although 
phrased in less explicit terms [7] . Dill proposes an asynchronous model based on 
sets of sequences and parallel composition (trace structures). Behaviors (traces) 
can be either accepted as successes, or rejected as failures. The failures, which 
are still possible behaviors of the system, correspond to unacceptable inputs 
from the environment, and are therefore the complement of the preconditions. 
Safe substitutability is expressed as trace containment between the successes 
and failures of the specification and the implementation. Wolf later extended 
the same technique to a discrete synchronous model [8]. More recently, De 
Alfaro and Henzinger have proposed Interface Automata which are similar to 
synchronous trace structures, where failures are implicitly all the traces that are 
not accepted by an automaton representing the component [5]. Composition is 
defined on automata, rather than on traces, and requires a procedure to restrict 
the state space that is equivalent to the process called autofailure manifestation 
of Dill and Wolf. A more general approach along the lines proposed by Dill 
and Wolf is the work by Negulescu with Process Spaces [TO], and by Passerone 
with Agent Algebra [TJJ , both of which extend the algebraic approach to generic 
behaviors introduced by Burch [T2] . 

Our notion of contract supports speculative design in which distributed 
teams develop partial designs concurrently and synchronize by relying on the 
notions of rich component [1] and associated contracts. We define assumptions 
and promises in terms of behaviors, and use parallel composition as the main 
operator for decomposing a design. This choice is justified by the reactive nature 
of embedded software, and by the increasing use of component models that sup- 
port structured concurrency. We developed our theory on the basis of assertions, 
i.e., languages of generic "runs". To achieve the generality of a (mathematical) 
metamodel we have complemented this by developing a concrete model for such 
assertions, that encompasses the different viewpoints of the design [T5] . 

In our approach, behaviors are decomponsed into assumptions and promises, 
as in Process Spaces, a representation that is more intuitive than, albeit equiv- 
alent to, the one based on the successes and failures of asynchronous trace 
structures. Unlike Process Spaces, however, we explicitly consider inputs and 
outputs, which we generalize to the concept of controlled and uncontrolled sig- 
nals. This distinction is essential in our framework to determine the exact role 
and responsibilities of users and suppliers of components. This is concretized 
in our framework by a notion of compatibility which depends critically on the 
particular partition of the signals into inputs and outputs. We also extend the 
use of receptiveness of asynchronous trace structures, which is absent in Process 
Spaces, to define formally the condition of compatibility of components for open 
systems. 

Our refinement relation between contracts, which we call dominance to dis- 
tinguish it from refinement between implementations of the contracts, follows 
the usual scheme of weakening the assumption and strengthening the guar- 
antees. The order induces boolean operators of conjunction and disjunction, 
which resembles those of asynchronous trace structures and Process Spaces. In 
addition, we also define a new fusion operator that combines the operation of 
composition and conjunction for a set of contracts. This operator is introduced 
to make it easier for the user to express the interaction between contracts related 
to different viewpoints of a component. 
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The model that we present in this paper is based on execution traces, and is 
therefore inherently limited to representing linear time properties. The branch- 
ing structure of a process whose semantics is expressed in our model is thus 
abstracted, and the exact state in which non-deterministic choices are taken 
is lost. Despite this, the equivalence relation that is induced by our notion of 
dominance between contracts is more distinguishing than the traditional trace 
containment used when executions are not represented as pairs (assumptions, 
promises). This was already observed by Dill, with the classic example of the 
vending machine [7], see also Brookes et al. on refusal sets [14]. There, every 
accepted sequence of actions is complemented by the set of possible refusals, 
i.e., by the set of actions that may not be accepted after executing that partic- 
ular sequence. Equivalence is then defined as equality of sequences with their 
refusal sets. Under these definitions, it is shown that the resulting equivalence is 
stronger than trace equivalence (equality of trace sets), but weaker than obser- 
vation equivalence |15l 116] . A precise characterization of the relationships with 
our model, in particular with regard to the notion of composition, is deferred 
to future work. 

9 Conclusion 

We have presented mathematical foundations for the contract-based model de- 
veloped in the framework of the SPEEDS project. Our generic mathematical 
model of contract supports "speculative design". This is achieved by focus- 
ing on behaviors, by supporting the notion of rich component where diverse 
(functional and non-functional) aspects of the system can be considered and 
combined, by representing rich components via their set of associated contracts, 
and by formalizing the whole process of component composition through the 
general mechanism of contract fusion. These foundations support the Heteroge- 
neous Rich Component (HRC) mctamodel under development in SPEEDS [13] . 
Future work includes the development of effective algorithms to handle con- 
tracts, coping with the problems raised by complementation. 
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